2 beano Apr 21, 2007 15:26

Yeah, but it will require lots of modifications again. I try to keep up with all security-related upgrades, but I might of course have missed something.
it's important to point out, additionally, that all versions of b2evolution up to and including version 0.9.0.11 are susceptible to at least one SQL injection exploit.
The first thing you need to do is upgrade.
If the files are currently chmod'd to 644, that's wonderful. Unfortunately, without knowing when the code was added, you can't really speak to what the permissions were at the time they were modified.
I know what you're going to say too:
"yeah, but I'm pretty sure they .."
If you haven't re-modified them, what are the timestamps on these particular files when you look at them in your ftp?
Stream wrote:
Yeah, but it will require lots of modifications again. I try to keep up with all security-related upgrades, but I might of course have missed something.
If you are hacking the core files, that's sort of the way it goes. I've been through it, it's a pain, but it's a must.
whoo wrote:
it's important to point out, additionally, that all versions of b2evolution up to and including version 0.9.0.11 are susceptible to at least one SQL injection exploit.
The first thing you need to do is upgrade.
If the files are currently chmod'd to 644, that's wonderful. Unfortunately, without knowing when the code was added, you can't really speak to what the permissions were at the time they were modified.
I know what you're going to say too:
"yeah, but I'm pretty sure they .."
If you haven't re-modified them, what are the timestamps on these particular files when you look at them in your ftp?
I have about 60 blogs in total, only 8 of them were "hacked". All stub-files are chmod'd 644, the ones hacked are timestamped just after 2am last night (GMT).
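The permission-and-timestamp check whoo asks for, as an added example that is not from this thread or from b2evolution: it lists every PHP stub under a web root that is either not mode 644 or was modified inside a given window, so the handful of touched stubs stand out from the rest. It assumes GNU find and GNU touch (Linux); the web root, file names and times are constructed for the demo.

```shell
# audit_stubs ROOT SINCE UNTIL
# Lists *.php files under ROOT that are either not mode 644 or were
# modified in the window [SINCE, UNTIL]. One line per hit:
# "MODE YYYY-MM-DD HH:MM PATH". Uses GNU find (-newermt, -printf).
audit_stubs() {
    _root=$1 _since=$2 _until=$3
    find "$_root" -type f -name '*.php' \
        \( ! -perm 644 -o \( -newermt "$_since" ! -newermt "$_until" \) \) \
        -printf '%m %TY-%Tm-%Td %TH:%TM %p\n' | sort
}

# make_fixture DIR: constructs a sample web root with three stub files:
# one untouched, one modified just after 2am on the incident night,
# one left world-writable. These are constructed sample files.
make_fixture() {
    mkdir -p "$1/blogs"
    printf '<?php // untouched stub\n' > "$1/blogs/blog_a.php"
    printf '<?php // stub modified at 02:07\n' > "$1/blogs/blog_b.php"
    printf '<?php // stub left 666\n' > "$1/blogs/blog_c.php"
    chmod 644 "$1"/blogs/*.php
    touch -d '2007-04-20 01:00' "$1/blogs/blog_a.php"   # GNU touch -d
    touch -d '2007-04-21 02:07' "$1/blogs/blog_b.php"
    touch -d '2007-04-20 01:00' "$1/blogs/blog_c.php"
    chmod 666 "$1/blogs/blog_c.php"
}

# Demo: audit the constructed fixture for the 02:00-03:00 window.
_demo=$(mktemp -d)
make_fixture "$_demo"
audit_stubs "$_demo" '2007-04-21 02:00' '2007-04-21 03:00'
rm -rf "$_demo"
```

On a real install, point it at the blogs directory and narrow the window to the night in question; anything flagged is a candidate for diffing against a clean copy from the distribution tarball.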
whoo wrote:
Stream wrote:
Yeah, but it will require lots of modifications again. I try to keep up with all security-related upgrades, but I might of course have missed something.
If you are hacking the core files, that's sort of the way it goes. I've been through it, it's a pain, but it's a must.
I know - been doing this for years with phpBB, but not on b2evolution...
Might be some of my code causing a security-hole so I'm just asking if someone else has heard of or experienced the same.
What is the CHMOD value supposed to be for stub files?
jj.
I don't know about the problem you're experiencing specifically, but have you thought about upgrading to a release considered 'stable'?
http://b2evolution.net/downloads/index.html
i.e. 1.8 or 1.9